LDAP(Active Directory) password AND groups not working together

Phil Mayers p.mayers at imperial.ac.uk
Mon Jun 26 10:46:43 CEST 2006


duckeo wrote:
> 
> It matches a DEFAULT line in users, but doesn't send the reply? It

You're misunderstanding how FreeRadius works when processing the request, 
I think. Broadly, it does this (the behaviour can be changed - see 
doc/configurable_failover for details):

  1a. For each entry in "authorize":
      execute module
      if reject: send reject and stop
      else go to next module
  1b. If Autz-Type has been set, repeat 1a for the matching Autz-Type
      subsection of authorize
  2.  Execute exactly one section from "authenticate" to actually process
      the request

I'm not entirely certain, but I think you're expecting that your:

DEFAULT Auth-Type := Reject
	Reply-Message = "some text"

...will be used if/when the request is rejected, which is not so. The 
entries in the users file are processed in order until one matches. If 
that entry matched, it would immediately reject the request.

There is not, AFAIK, an easy way to set the Reply-Message in a reject 
generated by the ldap module. It can almost certainly be done - see 
doc/configurable_failover - but why bother.

Also, you're setting Auth-Type. With the exception of setting it to 
Reject and some specialised cases, you do not usually want to do that. 
See copious comments about such in the list archives. In your case, your 
users file need only read:

# First matching entry wins; there is no Fall-Through, so a request that
# matches the group check never reaches the Reject entry below.
DEFAULT Ldap-Group == "RadiusWirelessVPN"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255

# Reached only when the group check above did not match.
DEFAULT Auth-Type := Reject
        Reply-Message = "You are not in the VPN group"


> continues to try to authenticate the user, and on the second time
> fails to bind (due to incorrect credentials) and doesn't match the
> line in Users:

Yes, because FreeRadius is long done with matching the users file by 
that point.

> rlm_ldap: Bind failed with invalid credentials
> rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment:
> AcceptSecurityContext error, data 52e, vece
>  modcall[authenticate]: module "ldap" returns reject for request 2
> modcall: group Auth-Type returns reject for request 2
> auth: Failed to validate the user.
> 
> And instead sends back via radius (in an Access-Reject packet):
> Reply-Message=80090308: LdapErr: DSID-0C090334, comment:
> AcceptSecurityContext error, data 52e, vece

I agree returning this isn't terribly helpful (then again, it isn't a 
terribly helpful error message from AD, but I've come to expect that). 
If you really must change the text of this reply message, you could try 
executing an attr_rewrite module in the post-auth section, REJECT 
sub-section, like so (untested):

modules {
   attr_rewrite aderrmsg {
     attribute = Reply-Message
     searchin = reply
     searchfor = "^.*$"
     replacewith = "password incorrect"
   }
}

authorize {
   ..blah..
}

authenticate {
   ..blah..
}

post-auth {
   Post-Auth-Type REJECT {
     aderrmsg
   }
}
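The processing order described in this post, as an added example that is not part of the post or of FreeRADIUS itself: a small Python model of the flow (authorize with the corrected users file and the Ldap-Group check, authenticate as an LDAP bind, then the attr_rewrite in Post-Auth-Type REJECT). It is not rlm_files, rlm_ldap or attr_rewrite; the user names, sample directory and group map are constructed, and the AD error string is the one from the log quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not FreeRADIUS code: a toy model of the 1.x request flow
# described in the post. Names, directory and group map are constructed.

# The corrected users file as (name, check items, reply items).
# "Auth-Type := Reject" is a check item that assigns Auth-Type; the entry has
# no other check items, so it matches every request that reaches it.
USERS: List[Tuple[str, Dict[str, str], Dict[str, str]]] = [
    ("DEFAULT", {"Ldap-Group": "RadiusWirelessVPN"},
     {"Service-Type": "Framed-User", "Framed-Protocol": "PPP",
      "Framed-IP-Address": "255.255.255.254",
      "Framed-IP-Netmask": "255.255.255.255"}),
    ("DEFAULT", {"Auth-Type": "Reject"},
     {"Reply-Message": "You are not in the VPN group"}),
]

# Constructed sample directory (user -> password) and group membership.
DIRECTORY = {"alice": "s3cret", "bob": "hunter2"}
GROUPS = {"alice": {"RadiusWirelessVPN"}, "bob": {"Staff"}}

# Bind error text AD returned in the log quoted in the post; with rlm_ldap it
# ends up as the Reply-Message of the Access-Reject.
AD_BIND_ERROR = ("80090308: LdapErr: DSID-0C090334, comment: "
                 "AcceptSecurityContext error, data 52e, vece")


def match_users(request: Dict[str, str], groups: Dict[str, set]
                ) -> Tuple[Optional[str], Dict[str, str]]:
    """Walk the users file in order. The first matching entry wins unless it
    carries Fall-Through = Yes. Returns (Auth-Type, reply items)."""
    auth_type, reply = None, {}
    user = request["User-Name"]
    for name, checks, items in USERS:
        if name != "DEFAULT" and name != user:
            continue
        ok = True
        for attr, value in checks.items():
            if attr == "Auth-Type":
                continue                       # ':=' assignment, not a test
            if attr == "Ldap-Group":           # rlm_ldap group membership check
                ok = value in groups.get(user, set())
            else:
                ok = request.get(attr) == value
            if not ok:
                break
        if not ok:
            continue
        auth_type = checks.get("Auth-Type", auth_type)
        reply.update(items)
        if items.get("Fall-Through", "No").lower() != "yes":
            break
    return auth_type, reply


def rewrite_reject(reply: Dict[str, str]) -> Dict[str, str]:
    """What the attr_rewrite instance in the post does in Post-Auth-Type
    REJECT: replace the whole Reply-Message (regex ^.*$) with fixed text."""
    reply = dict(reply)
    if "Reply-Message" in reply:
        reply["Reply-Message"] = re.sub(r"^.*$", "password incorrect",
                                        reply["Reply-Message"])
    return reply


def process(request: Dict[str, str], use_rewrite: bool = False
            ) -> Tuple[str, Dict[str, str]]:
    """authorize -> authenticate -> post-auth; returns (code, reply items)."""
    auth_type, reply = match_users(request, GROUPS)           # authorize
    if auth_type == "Reject":
        # Rejected in authorize: the users-file Reply-Message is the reply.
        return "Access-Reject", rewrite_reject(reply) if use_rewrite else reply
    # authenticate: exactly one section runs, here the LDAP bind.
    user = request["User-Name"]
    if DIRECTORY.get(user) == request.get("User-Password"):
        return "Access-Accept", reply
    # The users file is long done; rlm_ldap's own error text becomes the reply.
    reply = {"Reply-Message": AD_BIND_ERROR}
    return "Access-Reject", rewrite_reject(reply) if use_rewrite else reply


if __name__ == "__main__":
    for req in ({"User-Name": "alice", "User-Password": "s3cret"},
                {"User-Name": "bob", "User-Password": "hunter2"},
                {"User-Name": "alice", "User-Password": "wrong"}):
        print(req["User-Name"], process(req), process(req, use_rewrite=True))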
